Check Point DDoS Protector: Simple and Easy Mitigation
Jani Ekman, Sales Engineer, janie@checkpoint.com
Agenda: 1 (D)DoS Attacks; 2 DDoS Protector; 3 Behavioral DoS Protection; 4 Summary
What is a DoS Attack? A Denial-of-Service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. A Distributed Denial-of-Service attack (DDoS) is coordinated and launched simultaneously from multiple sources.
(D)DoS Attack Methods and Tools. Attacks can be partitioned into three dimensions: Network DoS attacks (consuming bandwidth resources); Application flood DoS attacks (targeting the application resources); Directed application DoS attacks (exploiting application implementation weaknesses).
Attackers Use Multi-Layer DDoS: Simultaneous Attack Vectors. Large-volume network flood attacks; SYN flood attacks (e.g., Socket stress); application vulnerabilities; high-and-slow application DoS attacks; web attacks such as brute-force login lockout. One successful attack vector = no service.
Are there any attacks?
Are there any tools available?
Going for layer 7
rent it.
Traditional Firewalls Are Not Sufficient: they are not designed for network and application DDoS protection. Basic rate-based flood protection affects all traffic (real users and attack traffic alike); they lack comprehensive Layer 7 DDoS protection; they detect sly (low-and-slow) attacks poorly; they have no filters to block attacks while allowing real traffic; and administrators cannot create custom signatures.
Introducing Check Point DDoS Protector: Block Denial of Service Attacks within seconds!
Product Information
Series                                  DP x06 Series                         DP x412 Series
Model                                   DP 506   DP 1006  DP 2006  DP 3006    DP 4412  DP 8412  DP 12412
Capacity                                0.5Gbps  1Gbps    2Gbps    3Gbps      4Gbps    8Gbps    12Gbps
Max Concurrent Sessions                 2 Million                             4 Million
Max DDoS Flood Attack Protection Rate   1 Million packets per second          10 Million packets per second
Latency                                 <60 microseconds
Real-time signatures                    Detect and protect against attacks in less than 18 seconds
Where to Protect Against DDoS. Scenarios 1, 2, 3: On-Premise Deployment (DDoS Protector Appliance) + Off-Site Deployment (DDoS Protector Appliance).
Integrated Security Management: Unified Logs and Monitoring. Leverage SmartView Tracker, SmartLog and SmartEvent for historic and real-time security status.
DDoS Protector Logs. For attacks with multiple sources / destinations, the DDoS Protector appliance sends several logs to describe the attack: logs with status start, ongoing and completed, and other logs carrying samples of the sources / destinations (with status: sampled).
DDoS Protector Integration. In SmartView Tracker and SmartLog, each log and log update is presented separately. In SmartEvent, the attack is consolidated into one event; therefore, in the SmartEvent Event Card you are able to see the list of all sampled source IPs / destination IPs.
Real-time monitoring with SNMP. This real-time monitoring is achieved with CactiEZ, delivered under the GPL. (Graphs: normal traffic; currently under attack.)
Agenda: 1 (D)DoS Attacks; 2 DDoS Protector; 3 Behavioral DoS Protection; 4 Summary
HTTP Flood Scenarios: Typical Distributed Attack. (Diagram: an attacker on the Internet sends bot commands through an IRC server to HTTP bots (infected hosts), which misuse the service resources of the public web servers.)
Setting BDoS Network Policy: Protect Network & Servers from DDoS. Policies are set with Source = Any and Destination = server segments & network segment. Policy 1: Destination = all protected network (BDoS global network profile). Policy 2: Destination = mail servers only. (Diagram: Internet -> DDoS Protector -> DNS servers, web servers, mail servers.)
2012 Check Point Software Technologies Ltd.
Setting BDoS Network Policy: Attack Mitigation per Network Policy. (Chart, bandwidth over time: Policy 1 covers all servers (100% of traffic) and Policy 2 covers the DNS servers (10% of traffic), each with its own configured bandwidth and learned baseline. A DNS attack exceeds the learned baseline of Policy 2: the attack is detected, footprint analysis and optimization run, the attack is blocked and legitimate DNS traffic is still allowed.)
Setting BDoS Network Policy: Global Policy only, low attack detection sensitivity. (Chart: with only Policy 1 for all servers (100% of traffic), its configured bandwidth and learned baseline, the same DNS attack is small compared with the total learned traffic and is not detected.)
Setting BDoS Network Policy: Unknown bandwidth per policy. (Chart: Policy 1 for all servers (100% of traffic) and Policy 2 for the DNS servers (10% of traffic); the configured bandwidth is not known per policy, so each policy's baseline is learned. The DNS attack is detected against Policy 2, footprint analysis and optimization run, the attack is blocked and legitimate DNS traffic is allowed.)
Adaptive Decision Engine. (Three-axis chart: X-axis = rate parameter input; Y-axis = rate-invariant input parameter, e.g. the URL size distribution ratio; Z-axis = Degree of Attack (DoA). The surface is divided into a normal adapted area, a suspicious area and an attack area.) HTTP flood attack: an abnormal URL size distribution ratio combined with a high rate gives a high DoA, inside the attack area.
Adaptive Detection Engine: Flash crowd scenario. The rate rises, but the rate-invariant parameter (URL size distribution ratio) stays normal, so the Degree of Attack stays low and the traffic remains outside the attack area.
Adaptive Detection Engine: Resistance to False Positives. Case: Flash Crowd Access. Behavioral Pattern Detection (1): based on probability analysis, identify which web page (or pages) has higher than normal hits. Behavioral Pattern Detection (2): no abnormal user activity is detected. Result: legitimate traffic is allowed, no real-time signature is generated and no user is blocked. (Diagram: legitimate users on the Internet accessing the public web servers.)
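The rate versus rate-invariant decision from the three slides above, as an added toy example that is not Check Point's code: a high request rate alone (flash crowd) earns only a small Degree of Attack, while the same rate with an abnormal URL-size mix (HTTP flood) lands in the attack area. The baseline figures, URL-length buckets, thresholds and the DoA formula are assumptions.

```python
"""Toy model of the rate + rate-invariant decision described on the slides.
Added example, not Check Point code: baseline, buckets, thresholds and the DoA formula are assumptions."""
from collections import Counter

# Learned baseline (constructed): requests per second and share of requests per URL-length bucket.
BASELINE_RPS = 100.0
BASELINE_URL_DIST = {"short": 0.5, "medium": 0.35, "long": 0.15}

def url_bucket(url):
    n = len(url)
    return "short" if n < 16 else "medium" if n < 48 else "long"

def url_distribution(urls):
    counts = Counter(url_bucket(u) for u in urls)
    return {b: counts.get(b, 0) / len(urls) for b in BASELINE_URL_DIST}

def distribution_anomaly(observed):
    # Rate-invariant parameter: total variation distance from the learned mix (0 = identical, 1 = disjoint).
    return 0.5 * sum(abs(observed[b] - BASELINE_URL_DIST[b]) for b in BASELINE_URL_DIST)

def degree_of_attack(urls, window_sec):
    # Rate parameter: how far above baseline the request rate is, saturating at 5x baseline.
    rate_ratio = len(urls) / window_sec / BASELINE_RPS
    rate_score = min(1.0, max(0.0, (rate_ratio - 1.0) / 4.0))
    # A high rate alone earns only a small DoA; the rate-invariant deviation drives it into the attack area.
    return rate_score * (0.25 + 0.75 * distribution_anomaly(url_distribution(urls)))

def classify(doa):
    return "attack" if doa >= 0.5 else "suspicious" if doa >= 0.2 else "normal"

# Constructed one-second windows: a normal second, a flash crowd and an HTTP flood.
SHORT, MEDIUM, LONG = "/index", "/catalog/items/2024/spring", "/search?q=" + "a" * 50
NORMAL = [SHORT] * 50 + [MEDIUM] * 35 + [LONG] * 15          # baseline rate, baseline mix
FLASH_CROWD = [SHORT] * 250 + [MEDIUM] * 175 + [LONG] * 75   # 5x rate, still the baseline mix
HTTP_FLOOD = ["/search?q=" + "x" * 60] * 500                 # 5x rate, every hit in one bucket

if __name__ == "__main__":
    for name, urls in (("normal", NORMAL), ("flash crowd", FLASH_CROWD), ("HTTP flood", HTTP_FLOOD)):
        doa = degree_of_attack(urls, 1.0)
        print(f"{name:12s} DoA={doa:.2f} -> {classify(doa)}")
```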
Attack Detection and Real-Time Signature Generation (BDoS flow). Inbound traffic from the public network passes through the BDoS flow and reaches the LAN as filtered traffic; outbound traffic is measured as well.
Detection: the Adaptive Detection Engine compares real-time statistics (PPS, bandwidth, protocol type distribution [%], TCP start-flag (SYN, FIN, RST, ...) distribution [%], inbound and outbound) against the learned baseline and computes a Degree of Attack (High / Low).
Statistical footprint analysis: the attack characteristics are taken from fields such as Source/Destination IP, Source/Destination Port, Packet size, Type of Service, Packet ID, TTL (Time To Live), DNS Query, DNS ID, TCP sequence number and Fragment offset.
Generating the real-time signature: an initial filter is generated from one characteristic and narrowed in a mitigation optimization process with a transparent closed feedback loop. Example: initial filter = Packet ID; optimization = Packet ID AND Source IP, then Packet ID AND Source IP AND Packet size; final filter = Packet ID AND Source IP AND Packet size AND TTL. The Degree of Attack measured after each step (positive or negative feedback) decides whether a term is kept, yielding the narrowest filters, which become the blocking rules.
Timeline [sec]: 0 learning; detection within about 10 seconds; mitigation with RT signatures from 10+X seconds.
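The footprint-narrowing loop described above, as an added toy example (not the appliance's code): the initial filter is the field value whose share grew most against the learned baseline, further terms are AND-ed in one at a time while the filter still covers the attack volume, and a per-source term that would cut the flood coverage is rejected by the feedback. The packet fields, the constructed capture and the 95% coverage rule are assumptions.

```python
"""Toy closed-feedback footprint narrowing, modelled on the real-time signature flow on the slides.
Added example, not Check Point code: packet fields, the constructed capture and the coverage rule are assumptions."""
from collections import Counter
import random

FIELDS = ("src_ip", "packet_size", "ttl", "ip_id")

def make_legit(rng, n):
    """Constructed legitimate packets: many sources, mixed sizes, TTLs and IP IDs."""
    return [{"src_ip": f"10.1.{rng.randint(0, 9)}.{rng.randint(1, 254)}",
             "packet_size": rng.choice([60, 120, 512, 1500]),
             "ttl": rng.choice([54, 118, 243]), "ip_id": rng.randint(1, 65535)} for _ in range(n)]

def make_flood(rng, n):
    """Constructed flood: 20 sources, but a fixed IP ID, size and TTL (a tool fingerprint)."""
    return [{"src_ip": f"198.51.100.{rng.randint(1, 20)}", "packet_size": 60,
             "ttl": 118, "ip_id": 1234} for _ in range(n)]

def matches(pkt, sig):
    return all(pkt[f] == v for f, v in sig.items())

def build_signature(baseline, window, min_coverage=0.95):
    """Start from the field value whose share grew most versus the learned baseline, then AND in
    further terms one by one; a term stays only while the filter still covers the excess (attack) volume."""
    excess = len(window) - len(baseline)     # windows of equal length assumed
    candidates = []
    for field in FIELDS:
        base = Counter(p[field] for p in baseline)
        now = Counter(p[field] for p in window)
        value = max(now, key=lambda v: now[v] / len(window) - base[v] / len(baseline))
        candidates.append((now[value] / len(window) - base[value] / len(baseline), field, value))
    sig = {}
    for _gain, field, value in sorted(candidates, reverse=True):
        trial = {**sig, field: value}
        if sum(matches(p, trial) for p in window) >= min_coverage * excess:
            sig = trial                         # positive feedback: keep the narrower filter
    return sig                                  # rejected terms were too narrow (negative feedback)

def false_positive_rate(sig, legit):
    return sum(matches(p, sig) for p in legit) / len(legit)

def run_demo(seed=7):
    rng = random.Random(seed)
    baseline, legit_now, flood = make_legit(rng, 300), make_legit(rng, 300), make_flood(rng, 700)
    return build_signature(baseline, legit_now + flood), legit_now, flood

if __name__ == "__main__":
    sig, legit_now, flood = run_demo()
    print("real-time signature:", " AND ".join(f"{f}={v}" for f, v in sig.items()))
    print(f"legitimate packets caught: {false_positive_rate(sig, legit_now):.1%}")
```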
Flexible Deployment Options: ready to protect in minutes; fits the existing network topology; learning-mode deployment; low maintenance and support.
Emergency Response and Support. Emergency Response Team: help from security experts when under DoS attack, leveraging experience gathered from real-life attacks. Check Point customer support: world-class support infrastructure, always-on 7x24 support, flexible service options.
Summary: blocks DDoS attacks within seconds; customized multi-layered DDoS protection; ready to protect in minutes; integrated with Check Point Security Management.